The GDPR (effective May 25 2018) imposes new privacy compliance obligations on organizations. The GDPR supersedes the EU Data Protection Directive (the “Directive”), thus, organizations that have agreements with suppliers and service providers that comply with the Directive may need to update those agreements to comply with the GDPR. Additionally, organizations that were not subject to the Directive may now be subject to the GDPR.
Do you comply with GDPR?
GDPR Readiness assessment. We will assess your level of compliance with the GDPR and identify key gaps. We will present the GDPR Gap Assessment Report with GDPR gaps, their risk levels and recommendations on how to close them.
GDPR Roadmap. We will prepare a detailed and actionable implementation plan to ensure GDPR compliance.
Purpose and legal basis of data processing. We will identify the processing activities and help to set their legal basis and purposes.
Have you updated your data privacy documentation?
Data processing rules. We will draft data processing rules or review your current internal documentation, state key principles concerning personal data processing, responsibilities and provide recommendations on appropriate technical and organizational measures.
Data subjects consents. We will prepare or review current data subjects’ consents for the processing of personal data. We will state if consents comply with GDPR, and if needed, we will update them accordingly.
Data processing agreements. We will prepare or review your current agreements with data processors and joint controllers.
Responsibilities matrix. We will allocate responsibilities and obligations in relation to the GDPR.
Do you comply with new obligations?
Records of processing activities/ Data register. We will prepare the form of records of processing activities / Data register.
Information notice for data subjects. We will draft or review the current form of information on personal data processing provided to data subjects.
Data breach notification. We will prepare data breach notification policy and templates for notification on personal data breach to the supervisory authority and data subjects.
Data Protection Impact Assessment. In accordance with identified processing activities, we will prepare data protection impact assessment procedure for processing activities which may result in a high risk to the rights and freedoms of natural persons.
Have you implemented adequate technical and organizational measures?
Data flows and classification. We will draft or review your current data strategy, data models, data flow diagrams and data classification scheme based on processing activities and IT systems.
Data retention and erasure procedure and retention periods. We will review your current data retention and erasure procedure and retention periods for personal data processing. We will suggest retention periods based on your business needs and in accordance with applicable legislation.
Business requirements for IT applications. We will define the change request for your IT applications and discuss them with your IT vendors.
Risk analysis of IT systems. Based on our created methodology, we will assess your current IT solutions, review risks that may arise and make recommendations to address such risks. Our methodology is based not only on relevant legislation but also on best practices and international standards (such as ISO 27001).
Interface list. In order to ensure that all data stored in IT systems are known and properly managed, we will prepare a detailed list of IT systems, the personal data contained therein and their interface.
Access matrix. We will review access roles and their assignment process based on the principles of data protection by default and limited access to data. We will propose a new access matrix.
Encryption. We will review current technical measures which maintain the confidentiality of processed personal data. We will provide recommendations on how to implement appropriate encryption measures.
Are your employees aware about GDPR?
Awareness of employees. We will prepare training materials related to data protection and provide training to relevant employees.